
Privilege escalation (PR)/RCE from account through AWM view sheet


Details


    Description

      Steps to reproduce:

      1. As a user without script or programming right, edit your user profile (or any other document) with the wiki editor and add the content
        {{groovy}}println("Hello " + "from Groovy!"){{/groovy}}
        
      2. Edit the document with the object editor and add an object of type AppWithinMinutes.LiveTableClass (no values need to be set, just save)
      3. View the document

      Expected result:

      An error is displayed that the user cannot execute the Groovy macro.

      Actual result:

      Below "Entries", the text "Hello from Groovy!" is displayed, showing that the Groovy macro has been executed.

      This demonstrates remote code execution and privilege escalation from a simple user account that has only edit rights on its own profile.

      The reason is that AppWithinMinutes.LiveTableViewSheet includes the document's content through a hack that was meant to do so securely, as a workaround for XWIKI-5027. Since the fix for XWIKI-5477, this hack is no longer secure: it executes the document's content with the sheet's rights instead of the content author's rights. This is also where the affects version comes from.

          People

            tmortagne Thomas Mortagne
            MichaelHamann Michael Hamann